SecurePay won the 2020 best paper award at the annual European Symposium on Security and Privacy (EuroS&P).
Mobile-based 2FA is known to suffer from certain attacks such as BAndroid. The main reason is the fact that the mobile phone is not strongly separated from the browser or an app during authentication. So if the attacker can compromise your phone, then they can also easily read your 2FA code e.g., sent via an SMS.
In our paper, we define the principles that are required for secure 2FA on mobile devices and show how previous systems fail to preserve these principles. SecurePay is a new system that enforces these principles using Trusted Execution Environment (TEE) support on ARM CPUs and a number of additional techniques. Since TEEs do not trust the underlying mobile OS, this means that even if the phone is compromised, the attacker cannot get access to the 2FA code. To further ensure security, we also formally verified that SecurePay indeed adheres to the desired security principles.